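# services/nextcloud/deployment.yaml
#
# Nextcloud 29 (apache image) pinned to the rpi5 node, using an external
# PostgreSQL service (postgres-service.postgres) and OIDC login against
# sso.bstein.dev. All credentials come from Secrets (nextcloud-db,
# nextcloud-admin, nextcloud-smtp, nextcloud-oidc); nothing sensitive is
# inlined here.
#
# Init containers run in order: db-reset -> fix-perms -> install-nextcloud.
# fix-perms and install-nextcloud override the pod securityContext and run as
# root (uid 0) so they can chown the PVCs; the main container runs as www-data
# (uid/gid 33) via the pod-level securityContext.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
  namespace: nextcloud
  labels:
    app: nextcloud
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud
  template:
    metadata:
      labels:
        app: nextcloud
    spec:
      nodeSelector:
        hardware: rpi5
      # Pod default: www-data. Individual init containers override this below.
      securityContext:
        fsGroup: 33
        runAsUser: 33
        runAsGroup: 33
      initContainers:
        # 1) db-reset — DESTRUCTIVE one-shot. Drops and recreates the `public`
        #    schema and removes config.php, then writes the .db_initialized marker
        #    on the config PVC. The marker is the ONLY guard: recreating the
        #    config PVC, restoring it from an older snapshot, or deleting the
        #    marker will wipe the database on the next pod start.
        #    The DB password is passed inside the psql conninfo argument, so it is
        #    visible in the container's process list while psql runs (PGPASSWORD
        #    or a .pgpass file would avoid that). Runs as the pod default uid 33.
        - name: db-reset
          image: postgres:16-alpine
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              mkdir -p /var/www/html/config
              if [ ! -f /var/www/html/config/.db_initialized ]; then
                rm -f /var/www/html/config/config.php || true
                psql "host=${POSTGRES_HOST} user=${POSTGRES_USER} password=${POSTGRES_PASSWORD} dbname=${POSTGRES_DB}" -v ON_ERROR_STOP=1 -c "DROP SCHEMA IF EXISTS public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO PUBLIC;"
                touch /var/www/html/config/.db_initialized
                chown 33:33 /var/www/html/config/.db_initialized || true
              fi
          env:
            - name: POSTGRES_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: database
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: db-username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: db-password
          volumeMounts:
            - name: nextcloud-config-pvc
              mountPath: /var/www/html/config

        # 2) fix-perms — runs as root. Removes an empty config.php, creates the
        #    three data directories, keeps the data/.ocdata marker consistent
        #    with config.php, and force-adds `'installed' => true` to config.php
        #    when the key is missing (so the main container does not re-run the
        #    web installer; presumably needed because config.php is regenerated
        #    from the DB — confirm). Ends by chown'ing everything to 33:33.
        #    Every step is `|| true`, so a failure here is not fatal to pod start.
        - name: fix-perms
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              if [ ! -s /var/www/html/config/config.php ]; then
                rm -f /var/www/html/config/config.php || true
              fi
              mkdir -p /var/www/html/config /var/www/html/data /var/www/html/custom_apps || true
              if [ ! -s /var/www/html/config/config.php ]; then
                rm -f /var/www/html/data/.ocdata || true
              fi
              if [ -s /var/www/html/config/config.php ] && [ ! -f /var/www/html/data/.ocdata ]; then
                touch /var/www/html/data/.ocdata
              fi
              if [ -s /var/www/html/config/config.php ] && ! grep -q "'installed'" /var/www/html/config/config.php; then
                sed -i "/^);/i\\ 'installed' => true," /var/www/html/config/config.php
              fi
              chown -R 33:33 /var/www/html/config /var/www/html/data /var/www/html/custom_apps || true
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          volumeMounts:
            - name: nextcloud-config-pvc
              mountPath: /var/www/html/config
            - name: nextcloud-custom-apps
              mountPath: /var/www/html/custom_apps
            - name: nextcloud-user-data
              mountPath: /var/www/html/data
            # subPath mount: the file is copied at pod start and does NOT follow
            # later ConfigMap updates; a rollout is needed to pick them up.
            - name: nextcloud-config-extra
              mountPath: /var/www/html/config/extra.config.php
              subPath: extra.config.php

        # 3) install-nextcloud — runs as root, executes occ as www-data via su.
        #    If config.php is absent it runs `occ maintenance:install`; once occ
        #    reports installed=true it (re)installs apps and applies OIDC/Office
        #    settings on EVERY pod start.
        #    Review notes on the script:
        #    - No `set -e`: a failed curl/tar in install_app leaves the app
        #      missing and the script continues (most occ calls are `|| true`).
        #    - App tarballs and the mimetype JSON are fetched over HTTPS with no
        #      checksum or signature check; the JSON is pinned to v29.0.16 while
        #      the image tag `29-apache` floats, so keep them in step.
        #    - DB password, admin password and the OIDC client secret are
        #      interpolated into `su -c "..."` strings: they appear on the command
        #      line (process list) of the php process, and a value containing a
        #      double or single quote would break the quoting.
        #    - reset_external_config deletes the `external` app's JWT key pairs on
        #      every start, so they are presumably regenerated each time — confirm
        #      that is intended.
        #    - oidc_login_disable_registration=false allows accounts to be created
        #      from the IdP on first login.
        - name: install-nextcloud
          image: nextcloud:29-apache
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          command: ["/bin/sh", "-c"]
          args:
            - |
              if [ ! -s /var/www/html/config/config.php ]; then
                su -s /bin/sh www-data -c "php /var/www/html/occ maintenance:install --database pgsql --database-host \"${POSTGRES_HOST}\" --database-name \"${POSTGRES_DB}\" --database-user \"${POSTGRES_USER}\" --database-pass \"${POSTGRES_PASSWORD}\" --admin-user \"${NEXTCLOUD_ADMIN_USER}\" --admin-pass \"${NEXTCLOUD_ADMIN_PASSWORD}\" --data-dir /var/www/html/data"
                chown 33:33 /var/www/html/config/config.php || true
                chown -R 33:33 /var/www/html/data || true
              fi
              installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null | awk '/installed:/{print $3}' || true)"
              if [ "${installed}" = "true" ]; then
                configure_oidc() {
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_provider_url --value='https://sso.bstein.dev/realms/atlas'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_id --value='${OIDC_CLIENT_ID}'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_secret --value='${OIDC_CLIENT_SECRET}'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_auto_redirect --type=boolean --value=true"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_hide_password_form --type=boolean --value=true"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_disable_registration --type=boolean --value=false"
                }
                configure_office() {
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:set richdocuments wopi_url --value='https://office.bstein.dev'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:set richdocuments public_wopi_url --value='https://office.bstein.dev'"
                }
                ensure_mime_defaults() {
                  cfg_dir="/var/www/html/resources/config"
                  mkdir -p "${cfg_dir}"
                  if [ ! -s "${cfg_dir}/mimetypemapping.dist.json" ]; then
                    curl -fsSL https://raw.githubusercontent.com/nextcloud/server/v29.0.16/resources/config/mimetypemapping.dist.json -o "${cfg_dir}/mimetypemapping.dist.json" || true
                  fi
                  if [ ! -s "${cfg_dir}/mimetypealiases.dist.json" ]; then
                    curl -fsSL https://raw.githubusercontent.com/nextcloud/server/v29.0.16/resources/config/mimetypealiases.dist.json -o "${cfg_dir}/mimetypealiases.dist.json" || true
                  fi
                  chown -R 33:33 "${cfg_dir}" || true
                }
                install_app() {
                  app="$1"
                  url="$2"
                  target="/var/www/html/custom_apps/${app}"
                  rm -rf "${target}"
                  mkdir -p /tmp/nextcloud-apps
                  curl -fsSL "${url}" -o "/tmp/nextcloud-apps/${app}.tar.gz"
                  tar -xzf "/tmp/nextcloud-apps/${app}.tar.gz" -C /var/www/html/custom_apps
                  rm -f "/tmp/nextcloud-apps/${app}.tar.gz"
                  chown -R 33:33 "${target}"
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:enable --force ${app}" || true
                }
                reset_external_config() {
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:remove external" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_privkey_es256" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_pubkey_es256" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_privkey_ed25519" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_pubkey_ed25519" || true
                }
                ensure_app() {
                  app="$1"
                  target="/var/www/html/custom_apps/${app}"
                  rm -rf "${target}"
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:remove ${app}" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:install --force ${app}" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:enable --force ${app}" || true
                }
                ensure_mime_defaults
                reset_external_config
                install_app external https://github.com/nextcloud-releases/external/releases/download/v5.4.1/external-v5.4.1.tar.gz
                install_app mail https://github.com/nextcloud-releases/mail/releases/download/v3.7.24/mail-stable3.7.tar.gz
                ensure_app oidc_login
                ensure_app richdocuments
                configure_office
                configure_oidc
              fi
          env:
            - name: POSTGRES_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: database
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: db-username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: db-password
            - name: NEXTCLOUD_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin
                  key: admin-user
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin
                  key: admin-password
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: nextcloud-oidc
                  key: client-id
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: nextcloud-oidc
                  key: client-secret
          volumeMounts:
            - name: nextcloud-config-pvc
              mountPath: /var/www/html/config
            - name: nextcloud-custom-apps
              mountPath: /var/www/html/custom_apps
            - name: nextcloud-user-data
              mountPath: /var/www/html/data
            - name: nextcloud-config-extra
              mountPath: /var/www/html/config/extra.config.php
              subPath: extra.config.php

      containers:
        - name: nextcloud
          image: nextcloud:29-apache
          imagePullPolicy: IfNotPresent
          env:
            # DB (external Secret nextcloud-db with keys database, db-username, db-password)
            - name: POSTGRES_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: database
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: db-username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-db
                  key: db-password
            # Admin bootstrap (external Secret nextcloud-admin with keys admin-user, admin-password)
            - name: NEXTCLOUD_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin
                  key: admin-user
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin
                  key: admin-password
            # Reverse-proxy / URL settings: TLS is terminated upstream, so Nextcloud
            # is told to generate https links for cloud.bstein.dev.
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: cloud.bstein.dev
            - name: OVERWRITEHOST
              value: cloud.bstein.dev
            - name: OVERWRITEPROTOCOL
              value: https
            - name: OVERWRITECLIURL
              value: https://cloud.bstein.dev
            # SMTP (external Secret nextcloud-smtp with keys smtp-username, smtp-password)
            - name: SMTP_HOST
              value: mail.bstein.dev
            - name: SMTP_PORT
              value: "587"
            - name: SMTP_SECURE
              value: tls
            - name: SMTP_NAME
              valueFrom:
                secretKeyRef:
                  name: nextcloud-smtp
                  key: smtp-username
            - name: SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-smtp
                  key: smtp-password
            # Local part of the sender address (combined with MAIL_DOMAIN); must not
            # contain whitespace.
            - name: MAIL_FROM_ADDRESS
              value: no-reply
            - name: MAIL_DOMAIN
              value: bstein.dev
            # OIDC (external Secret nextcloud-oidc with keys client-id, client-secret)
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: nextcloud-oidc
                  key: client-id
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: nextcloud-oidc
                  key: client-secret
            - name: NEXTCLOUD_UPDATE
              value: "1"
            - name: APP_INSTALL
              value: "mail,oidc_login,external"
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - name: nextcloud-config-pvc
              mountPath: /var/www/html/config
            - name: nextcloud-custom-apps
              mountPath: /var/www/html/custom_apps
            - name: nextcloud-user-data
              mountPath: /var/www/html/data
            # subPath mount: ConfigMap changes are not propagated to the running
            # pod; roll the Deployment after editing nextcloud-config.
            - name: nextcloud-config-extra
              mountPath: /var/www/html/config/extra.config.php
              subPath: extra.config.php
          resources:
            requests:
              cpu: 250m
              memory: 1Gi
            limits:
              cpu: 1
              memory: 3Gi
      volumes:
        - name: nextcloud-config-pvc
          persistentVolumeClaim:
            claimName: nextcloud-config
        - name: nextcloud-custom-apps
          persistentVolumeClaim:
            claimName: nextcloud-custom-apps
        - name: nextcloud-user-data
          persistentVolumeClaim:
            claimName: nextcloud-user-data
        - name: nextcloud-config-extra
          configMap:
            name: nextcloud-config
            # Octal (YAML 1.1) file mode: world-readable, not writable.
            defaultMode: 0444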